I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later, I had to decide whether to replace that one with an updated version or to write a second, updated post instead. I chose the second option.
Since users run old Wireshark versions for various reasons, I decided against rewriting the existing blog post, even though I always recommend choosing the latest stable version. But sometimes it can’t be helped, e.g. when OS repositories like Debian’s APT only offer old versions, or if you need a specific version to run custom plugins. Anyway, if you need to set up GeoIP resolution for versions before Wireshark 2.6, look at that post instead.
Wireshark 2.6 and GeoLite2
Starting with Wireshark 2.6, the format of the GeoIP database used by Wireshark has changed to the newer GeoLite2 format of the MaxMind databases. If you had configured an older Wireshark version with the previous “legacy” databases, you’ll have to remove the old legacy DB files and replace them with the new ones, and also reconfigure the 2.6 installation with new preference settings pointing to the new database files. But first, you need to get them at https://dev.maxmind.com/geoip/geoip2/geolite2/
Unpack the database files into a directory of your choice. I usually put them into a subdirectory of my Wireshark profile folder, which would be c:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP:
Hint: make sure that you put the .mmdb files into the directory you want to use, not the compressed archives. Also, do not put the files in subfolders – they all need to be in a single directory.
Then it’s time to reconfigure Wireshark:
In my experience, Wireshark doesn’t always immediately show GeoIP resolutions, but at least after restarting it the decode pane should show the results:
Auto Updating the database files
I wrote a small Windows batch script that pulls the latest files from the MaxMind website and unpacks them into a directory. You can use it e.g. as a job that the Task Scheduler runs every once in a while to keep your files current. I put the script on GitHub here:
Command line bonus
If you looked closely at the Wireshark 2.6 installer, you may have noticed that there is a new command line utility called mmdbresolve. It can be used to perform GeoIP resolutions from the CLI. First I tried it like this (my inputs in green):
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb 188.8.131.52
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
Usage: mmdbresolve -f db_file [-f db_file ...]
[C:\Program Files\Wireshark]
This obviously didn’t work (the tool only printed its usage line). Running the tool without an IP address put it into an interactive mode:
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
184.108.40.206
[220.127.116.11]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# End 18.104.22.168
^C
[C:\Program Files\Wireshark]
But after fiddling around a bit, I found a way to get it to work: pipe the address into it via echo, and it reads its input from stdin:
[C:\Program Files\Wireshark]echo 22.214.171.124 | mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[126.96.36.199]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 188.8.131.52
[C:\Program Files\Wireshark]
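Since mmdbresolve reads addresses from stdin, the natural next step is to feed it a whole list of addresses from a capture or a log and parse its key: value output in a script, checking the [init] block first so a database that failed to load is noticed rather than silently yielding empty results. The Python below is an added example, not code from the original post or from the Wireshark project. The sample output embedded in it is constructed to mirror the session above (same placeholder address and field values); run_mmdbresolve() assumes an mmdbresolve binary on PATH and the database paths you pass it, and is only shown here, not executed offline.

```python
"""Parse Wireshark's mmdbresolve output into Python dicts (added example)."""
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the "echo <ip> | mmdbresolve -f ..." session in
# the post. The address is the post's placeholder, not a real lookup result.
SAMPLE_OUTPUT = """\
[init]
db.0.path: C:\\Users\\Jasper\\AppData\\Roaming\\Wireshark\\GeoIP\\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\\Users\\Jasper\\AppData\\Roaming\\Wireshark\\GeoIP\\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\\Users\\Jasper\\AppData\\Roaming\\Wireshark\\GeoIP\\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[126.96.36.199]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 126.96.36.199
"""

InitInfo = Dict[str, str]
Results = Dict[str, Dict[str, Dict[str, str]]]


def parse_mmdbresolve(text: str) -> Tuple[InitInfo, Results]:
    """Split mmdbresolve output into the [init] block and per-address results.

    init_info maps raw keys ('db.0.status', 'mmdbresolve.status', ...) to values.
    results maps ip -> database type ('GeoLite2-City', ...) -> key -> value.
    """
    init_info: InitInfo = {}
    results: Results = {}
    current_ip: Optional[str] = None   # address block we are inside, or "init"
    current_db: Optional[str] = None   # '# GeoLite2-...' section inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):      # "[init]" or "[<ip>]"
            current_ip, current_db = line[1:-1], None
            if current_ip != "init":
                results.setdefault(current_ip, {})
            continue
        if line.startswith("# End"):                          # "# End init" / "# End <ip>"
            current_ip, current_db = None, None
            continue
        if line.startswith("# "):                             # "# GeoLite2-City" etc.
            current_db = line[2:]
            if current_ip not in (None, "init"):
                results[current_ip].setdefault(current_db, {})
            continue
        key, sep, value = line.partition(":")                 # first colon only: paths contain ':'
        if not sep:
            continue                                          # not a key/value line
        key, value = key.strip(), value.strip()
        if current_ip == "init":
            init_info[key] = value
        elif current_ip is not None and current_db is not None:
            results[current_ip][current_db][key] = value
    return init_info, results


def databases_ok(init_info: InitInfo) -> bool:
    """True only if mmdbresolve reported success and every db.N.status is OK."""
    statuses = [v for k, v in init_info.items()
                if k.startswith("db.") and k.endswith(".status")]
    return (init_info.get("mmdbresolve.status") == "true"
            and bool(statuses) and all(s == "OK" for s in statuses))


def country_of(results: Results, ip: str) -> Optional[str]:
    """ISO country code for ip, from the City database first, then Country."""
    for db in ("GeoLite2-City", "GeoLite2-Country"):
        code = results.get(ip, {}).get(db, {}).get("country.iso_code")
        if code:
            return code
    return None


def run_mmdbresolve(ips: List[str], db_paths: List[str],
                    binary: str = "mmdbresolve") -> Tuple[InitInfo, Results]:
    """Resolve many addresses in one process by writing them to stdin, one per line
    (the 'echo <ip> | mmdbresolve -f ...' pattern). Assumes `binary` is on PATH."""
    cmd = [binary]
    for path in db_paths:
        cmd += ["-f", path]
    proc = subprocess.run(cmd, input="\n".join(ips) + "\n",
                          capture_output=True, text=True, check=True)
    return parse_mmdbresolve(proc.stdout)


if __name__ == "__main__":
    init, res = parse_mmdbresolve(SAMPLE_OUTPUT)
    print("databases OK:", databases_ok(init))
    for ip, dbs in res.items():
        asn = dbs.get("GeoLite2-ASN", {}).get("autonomous_system_number")
        print(ip, country_of(res, ip), asn)
```

The [init] block is worth checking on every run: a missing or unreadable .mmdb file shows up as a non-OK db.N.status line, and a script that only reads the address blocks would otherwise report "no country" for every address. Note also, as visible in the session above, that the db.N.type line carries an index one higher than the matching db.N.path and db.N.status lines, so the parser keeps the raw keys instead of trying to pair them by number.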